• by Bill McCloskey , April 15, 2004

Listening to this week's 9/11 hearings testimony regarding the FBI's complaints that lack of funds made it difficult to do its job properly, I was reminded of an incident that took place about a year ago.

I had received yet another email offer for Norton Utilities. At that time, there was quite a debate on whether clicking on the unsubscribe link in these emails was a good idea or not. One side said: "Don't click on the unsubscribe link. It will only prove that your email is active, and you will receive even more spam." The other side said: "Email is so cheap that nobody is monitoring whether the email is active or not. They are just sending it the same 10 million names. Unsubscribing will at least get you off the legitimate email lists, and won't have any effect on the volume you receive from the illegitimate mailers."

My personal opinion was that I didn't see how I could receive MORE offers for Norton Utilities than I was getting at the time. So I decided to do the unthinkable and attempt to unsubscribe from the list.

I clicked on the link and to my surprise, instead of going to an unsubscribe page, I was staring at the Web server's file structure. There was a file called "orders," which I clicked on--and there, staring me in the face, were hundreds of names and credit card numbers: all people who had purchased the software from this "Affiliate" marketer.

What to do? The first thing I did was a whois lookup on the domain of the site. The contact info in the whois database turned out to be bogus, and a quick Google search revealed that the domain's registrant was a known spammer who hid his contact info and identity.

My next call was to Norton. "You have a rogue affiliate exposing people's credit card numbers," I explained. But Norton was unmoved. They had no control over their affiliates. In fact, many of the so-called affiliates were actually selling counterfeit copies of the Norton Utilities--and, according to the spokesman I talked with, Norton was powerless to stop them.

After discussing the issue with some colleagues, it was suggested that I call the FBI. Now, my impressions of the FBI are informed by movies: incredibly sophisticated computer databases, plugged-in individuals with a vast array of high-tech equipment: you know, stuff from Mission Impossible.

The actual experience of calling the FBI was more along the lines of a trip to the DMV. After explaining the problem to many people as I got shifted from place to place, and after facing a series of accusatory questions ("Now why were YOU looking at these credit card numbers? How did YOU get access to this information?"), I finally got routed to the right person.

After explaining the situation one more time and trying to convince them that it wasn't me that was the criminal here, I finally said: "Here is the URL. Go there yourself and you'll see what I'm talking about."

After a bit of a pause, the woman on the other line said: "We don't have computers with Internet access."

The division of the FBI responsible for Internet fraud did not have access to the Internet!

So much for Mission Impossible.

Well then... who DO you call? They told me to call the Secret Service.

That's when I found out that the Secret Service is the branch of the government that handles Internet credit card fraud. And the Secret Service had a computer with an Internet connection, amazingly enough. But by this time, the Website had been fixed and when they went there, all it showed was the unsubscribe screen. And that was the end of it... except, I haven't really seen any Norton Utilities spam since then. So who knows?

All of this goes to show that spam is not just an annoyance. It has the potential to wreak havoc. Suppose a less scrupulous person had found those credit card numbers. And of course, it makes you wonder about what the person who does have access to them is doing with those credit card numbers.

Last week I received an email containing the Beagle virus from one of the sites I monitor, Gift Fox. I sent a letter to them with no response, but my guess is that their entire database of names was sent the same email with the virus attached.

Recently I have been receiving spam emails from Spyware Nuker (a software program that supposedly destroys spyware programs on your computer). The return addresses in the sender's email were faked. Maybe another rogue affiliate. Who knows?

My single American-Giveaways opt-in that I featured when we first started this column has landed me on over 250 individual mailing lists to date, and has generated 8,833 emails since I signed up for my free Blank CD-ROMs back in September (I never did see those CD-ROMs, by the way).

It's all a bit scary. Who is watching the store? Who do you go to for protection? We have focused legislation around delivery. We've done nothing to battle fraud.

Maybe we are fighting the wrong battle.